This handler should have a configuration option to support using Vault to authenticate incoming messages, with the option to either only accept authenticated messages or to simply mark them as such - perhaps even cryptographically signed.

This way messages of import cannot be faked by just hitting the URL with a post, but generic notifications that are low risk (such as "Coffee's done!") can be sent w/out a lot of overhead.